The long-standing narrative of credit card security is that offline transactions are more secure than online. Today, this narrative is more fiction than fact.
Online transactions are more popular and secure than ever before, thanks to advancements in digital payments technology, demographic shifts, and the evolving cyber-security landscape. At the same time, offline payments seem more insecure than ever before. The outbreak of high-profile security breaches at major retailers has shed light on the fact that offline transactions are vulnerable to attack.
These trends lead us to consider a number of important questions that affect every consumer and retailer — are online transactions more secure than offline, and will this realization propel ecommerce into its next stage of growth?
Offline and Off-Guard
The reality is that security concerns exist whether you are online, offline, or on a mobile device. They exist with credit cards, debit cards, and even cash. A common misconception is that offline is safer than online, but this is changing as a result of the massive security breaches that hit the headlines over the past year.
Target announced that hackers stole personal information from as many as 70 million customer accounts between November 27th and December 15th, 2013. Then, Home Depot announced that 56 million cards were compromised in a five-month attack on its payment terminals. 1.1 million credit cards were exposed in a three-month hack on Neiman Marcus. Hackers also hit grocery chain Supervalu, which has thousands of locations, multiple times, and Asian bistro chain P.F. Chang’s saw data stolen from eight of its locations over the course of eight months. Even before these huge hacks took place, retailers were already losing roughly $3.5 billion in ecommerce sales a year due to credit card fraud, according to payment processor CyberSource.
If this laundry list of major security breaches isn’t enough to convince consumers that offline payments are just as risky, if not more so, than online payments, I don’t know what is.
When you physically offer up your credit card in a retail store, that merchant still stores data on a computer; those computers are generally Windows PCs running old-school Point-Of-Sale software and storing data in environments that are inherently insecure and inadequate. To process transactions, the payment application has to communicate with the payment terminal, POS, and payment processor, which means sensitive data is constantly being circulated. This makes it vulnerable.
“You walk out of the store while the transaction continues to ricochet across the country — using technology from the 1970s,” Jason Oxman, CEO of the Electronic Transaction Association, told NPR.
“What we need to do in the U.S. is completely replace an architecture that has been deployed over the course of the last 40 years. That’s how long mag stripe cards have been on the market.”
The security guidelines put in place by the major credit card companies were designed around protecting data at rest. That is no longer the world we live in, and today these standards don’t do enough to ensure retailers are protecting consumers’ data. The guidelines don’t require credit card information to be encrypted while traveling through a private computer network, and so hackers can steal data as it moves between the terminal, the POS and the processor. PCI data security standards are failing us.
Is Online Safer?
In general, big box retailers don’t make the same commitment to security as online retailers. Overhauling their entire system and taking extra security precautions is an expensive and time-consuming proposition, and so they neglect to take extra measures. This stands in contrast to online retailers, who are built from the ground up with strict security in mind, because just one hack could destroy their business.
Online retailers also have a greater array of security tools at their disposal, tools that were created for the world we live in today, not the world of a decade ago. Square, for example, encrypts card data on the device. Stripe encrypts all card numbers on disk with AES-256, and stores decryption keys on separate machines. PayPal’s security key offers a second authentication factor when you are logging in to your account. Online transactions from any reputable vendor are also protected by SSL certificates (to protect data in transit), firewalls, and regular system scans. Furthermore, consumers are empowered to add extra security layers to online transactions. They can create strong passwords, sign up for identity theft protection services, and keep their anti-virus software up to date.
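To make the "encrypted on disk, keys on a separate machine" pattern concrete, here is an added example written for this page; it is not Stripe's code or any vendor's, and the KeyService, CardRecord and StoreCard names are hypothetical. The storage layer only ever holds AES-256-GCM ciphertext plus the last four digits, and it has to call the key holder to get a card number back. The record id is bound as associated data, so a ciphertext copied into another customer's row fails authentication instead of decrypting. The card number 4111111111111111 is a constructed test value, not real customer data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"strings"
)

// KeyService stands in for the separate machine that holds the data-encryption
// key (hypothetical design). The database tier never sees the key; it only
// asks this service to seal or open a value.
type KeyService struct {
	aead cipher.AEAD
}

// NewKeyService generates a fresh 256-bit AES key and wraps it in GCM.
func NewKeyService() (*KeyService, error) {
	key := make([]byte, 32) // 32 bytes selects AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &KeyService{aead: aead}, nil
}

// Seal encrypts pan under a random nonce and binds recordID as associated data.
// Output is "nonce-hex:ciphertext-hex", which is what goes to disk.
func (k *KeyService) Seal(recordID, pan string) (string, error) {
	nonce := make([]byte, k.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := k.aead.Seal(nil, nonce, []byte(pan), []byte(recordID))
	return hex.EncodeToString(nonce) + ":" + hex.EncodeToString(ct), nil
}

// Open reverses Seal. A tampered ciphertext or a mismatched recordID fails
// GCM authentication and returns an error rather than garbage.
func (k *KeyService) Open(recordID, stored string) (string, error) {
	parts := strings.SplitN(stored, ":", 2)
	if len(parts) != 2 {
		return "", errors.New("malformed stored value")
	}
	nonce, err := hex.DecodeString(parts[0])
	if err != nil {
		return "", err
	}
	ct, err := hex.DecodeString(parts[1])
	if err != nil {
		return "", err
	}
	pt, err := k.aead.Open(nil, nonce, ct, []byte(recordID))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// CardRecord is what the merchant database actually holds: ciphertext and the
// last four digits for receipts. The full PAN never reaches disk in the clear.
type CardRecord struct {
	ID     string
	Last4  string
	Sealed string
}

// StoreCard builds the at-rest record for one card number.
func StoreCard(ks *KeyService, id, pan string) (CardRecord, error) {
	if len(pan) < 4 {
		return CardRecord{}, errors.New("card number too short")
	}
	sealed, err := ks.Seal(id, pan)
	if err != nil {
		return CardRecord{}, err
	}
	return CardRecord{ID: id, Last4: pan[len(pan)-4:], Sealed: sealed}, nil
}

func main() {
	ks, err := NewKeyService()
	if err != nil {
		panic(err)
	}
	rec, err := StoreCard(ks, "cust-42", "4111111111111111") // constructed test PAN
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored: id=%s last4=%s sealed=%s\n", rec.ID, rec.Last4, rec.Sealed)
	pan, _ := ks.Open(rec.ID, rec.Sealed)
	fmt.Println("key service returned:", pan)
	_, err = ks.Open("cust-99", rec.Sealed) // same ciphertext, wrong customer row
	fmt.Println("replay under another id rejected:", err != nil)
}
```

In a real deployment the KeyService would sit behind an authenticated network boundary (an HSM or a key-management service) and the nonce, ciphertext and key identifier would be stored as separate columns; the point the page makes survives either way, which is that a database dump from the retailer's tier yields ciphertext and last-four digits, not card numbers.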